U.S. ELECTION ASSISTANCE COMMISSION
OFFICE OF INSPECTOR GENERAL
1225 New York Ave. NW - Suite 1100
Washington, DC 20005

October 2, 2006

Memorandum

To:       Thomas Wilkey
          Executive Director

From:     Curtis Crider
          Inspector General

Subject:  Non-Compliance with the Federal Information Security Management Act
          by the U.S. Election Assistance Commission (Assignment No. I-EV-EAC-02-06)

The U.S. Election Assistance Commission (EAC) has not complied with the Federal Information Security Management Act (FISMA).

FISMA (Section 3544) requires the Head of each Federal agency to provide "information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of --

(i) information collected or maintained by or on behalf of the agency; and

(ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency."

EAC is a small Federal agency; it has an annual operating budget of approximately $15 million and employs fewer than 30 people. More importantly, it does not own or operate any information technology (IT) systems. Thus, we believe, the impact of its non-compliance is minor. Nonetheless, the Office of Management and Budget (OMB) advised [1] in its fiscal year 2004 reporting requirements for micro-agencies (agencies that employ fewer than 100 Federal employees) that:

     All the requirements established in FISMA apply to all agencies regardless of their size. OMB has developed an abridged reporting format for micro-agencies. This abridged template for micro-agencies does not exempt them from FISMA requirements and OMB guidance . . .

[1] See OMB Memorandum M-04-25, FY 2004 Reporting Instructions for the Federal Information Security Management Act, dated August 23, 2004.

DISCUSSION

Congress authorized the EAC with the passage of the Help America Vote Act (HAVA) in October 2002. According to HAVA, the duties of EAC are to "serve as a national clearinghouse and resource for the compilation of information and review of procedures with respect to the administration of Federal Elections . . . ." EAC's first full year of operation was fiscal year 2004. Since that time, it has not submitted any reports to OMB on its information security management.

The fiscal year 2006 budget for EAC, excluding funds transferred to the National Institute of Standards and Technology, was about $14 million and included 26 full-time equivalents. The major budget categories were research and development, personal compensation and benefits, and other services.

The General Services Administration (GSA) provides administrative support and related IT services for personnel management, payroll, and financial management to EAC under three reimbursable agreements. GSA also furnishes IT support by maintaining EAC's Local Area Network and electronic mail. EAC's website is operated by an independent contractor.

EAC has not yet established policies and procedures for information security or privacy management.

RECOMMENDATIONS

We recommend that the Executive Director:

   1. Establish and implement policies and procedures for information security and privacy management.

   2. Comply with the applicable provisions of FISMA and OMB implementing guidance.

RESPONSE TO MEMORANDUM

Please provide a response to this memorandum by November 3, 2006. Your reply should indicate whether you agree or disagree with the recommendations and, if applicable, include a plan of action for implementing the recommendations. The plan should include target dates and the name of the official responsible for implementing the recommendations.

The legislation creating the Office of Inspector General requires that we report to the Congress semiannually on all reports issued, actions taken to implement our recommendations, and recommendations that have not been implemented. Therefore, this report will be included in the next semiannual report.